Mikrotik: NAT

From OnnoWiki
Jump to navigation Jump to search
/ip firewall nat

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.

There are two types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.

To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.


/ip firewall nat


Source NAT

Masquerade

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public


Source nat to specific address

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=Public
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-addresses=1.1.1.2 out-interface=Public


Destination NAT

Forward all traffic to internal host

Add Public IP to Public interface:

/ip address add address=10.5.8.200/32 interface=Public   


Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
	to-addresses=192.168.0.109 


Add rule allowing the internal server to initate connections to the outer networks having its source address translated to 10.5.8.200:

/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
	to-addresses=10.5.8.200


Port mapping/forwarding

If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234 


Port forwarding to internal FTP server

/ip firewall nat
add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp action=dst-nat to-addresses=192.168.0.109
/ip firewall filter
add chain=forward connection-state=established,related action=accept


1:1 mapping

/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
	action=netmap to-addresses=2.2.2.0/24
 /ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
	action=netmap to-addresses=11.11.11.0/



/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
	action=netmap to-addresses=2.2.2.0-2.2.2.255
/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
	action=netmap to-addresses=11.11.11.0-11.11.11.255  


Carrier-Grade NAT (CGNAT) or NAT444

/ip firewall nat 
 add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-address=2.2.2.2 out-interface=<public_if>


/ip firewall filter
 add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=output dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward dst-address=100.64.0.0/10 action=drop out-interface=<public_if>



Cek

/ip firewall nat print stats
/ip firewall mangle> print stats
/ip firewall mangle> print all stats
/ip firewall mangle> print stats dynamic


Pranala Menarik